2:45 p.m.
Thoughts on some possible ways to handle mobile aspects with Keycloak.
Its just a very brief outline of some of the options to get a
conversation started. I tried to brief as possible, but the email is
still a bit long :/
Mobile web app
Works similar to how any normal web app would work with keycloak. Only
changes really needed would be to make sure the login pages and such are
designed to work properly on varying sizes of touchscreens.
Native Mobile App Approaches
1)Native mobile app accessing keycloak through a custom webview.
Its possible for a native application to create a webview and load the
web components of keycloak through this. Requires some changes to
keycloak to return the token to the application since using a normal
redirect url isn't feasible.
For social login there are a lot of problems with this approach. Its a
custom webview, so the user will always have to enter their credentials
(which defeats the point of social login as being easy). Its also a huge
trust issues since a custom webview can easily steal credentials or
spoof the content. Facebook will be blocking logins using webviews this
fall due to the security concerns and will require using their sdk
instead, other social networks may soon follow.
2)Native mobile app accessing a native keycloak service.
A native keycloak service could be created to be run on the mobile
device which would handle account registration and login. The idea here
is that the native keycloak component would be in contact with the
keycloak server and would be managed there. This component would also
register itself as an account authenticator so that other apps can use
keycloak for authentication (in the same manner as apps do now for other
social logins).
It would use the native social sdk or system account management system
to perform social login. Once a social token is retrieve in the native
keycloak component it would be sent to the keycloak server for
verification and return a keycloak token.
Note: just to be clear, the keycloak mobile component would not be
keycloak re-written on a mobile device. Most of what happens will still
be done on the server side and it would be managed from the server's
admin console.
Thoughts on the native app approaches:
1 is a non-optimal user experience with some trust/security issues, and
already is going to be blocked by some social providers. But it requires
the least amount of native code and most things still remain on the
server side.
2 requires a lot more native code to be written and requires a lot more
changes to keycloak on the server side. But it provides a much nicer
user experience and would act the same way as current authentication
providers do to applications. There is also less issues with social
providers blocking access since we would be using the approved and
recommended methods.
Any thoughts on this? I am still catching up on keycloak so some of my
assumptions may be a bit off in a few areas.
- Matt Wringe
3:14 p.m.
On 8/14/2013 2:45 PM, Matt Wringe wrote:
Thoughts on some possible ways to handle mobile aspects with
Keycloak.
Its just a very brief outline of some of the options to get a
conversation started. I tried to brief as possible, but the email is
still a bit long :/
Mobile web app
Works similar to how any normal web app would work with keycloak. Only
changes really needed would be to make sure the login pages and such are
designed to work properly on varying sizes of touchscreens.
Native Mobile App Approaches
1)Native mobile app accessing keycloak through a custom webview.
Its possible for a native application to create a webview and load the
web components of keycloak through this. Requires some changes to
keycloak to return the token to the application since using a normal
redirect url isn't feasible.
On iphone you can redirect to and from native apps using URLs. So it
would be possible to use the Keycloak web login and redirects with
iphone. Are you sure Android doesn't have something similar?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:07 p.m.
On Wed 14 Aug 2013 03:14:41 PM EDT, Bill Burke wrote:
On 8/14/2013 2:45 PM, Matt Wringe wrote:
> Thoughts on some possible ways to handle mobile aspects with Keycloak.
> Its just a very brief outline of some of the options to get a
> conversation started. I tried to brief as possible, but the email is
> still a bit long :/
>
> Mobile web app
> Works similar to how any normal web app would work with keycloak. Only
> changes really needed would be to make sure the login pages and such are
> designed to work properly on varying sizes of touchscreens.
>
>
> Native Mobile App Approaches
>
> 1)Native mobile app accessing keycloak through a custom webview.
> Its possible for a native application to create a webview and load the
> web components of keycloak through this. Requires some changes to
> keycloak to return the token to the application since using a normal
> redirect url isn't feasible.
On iphone you can redirect to and from native apps using URLs. So it
would be possible to use the Keycloak web login and redirects with
iphone. Are you sure Android doesn't have something similar?
Yeah, you can of course use urls like that in Android.
Normally the way its handled in this situation is to run web server on
the device at localhost (which is what I meant by a normal url and why
its not being really feasible) or to use a special redirect value and
pass the token in a special manner (what you are suggesting).
The way google handles it is either the localhost redirect or using a
special urn as the redirect (urn:ietf:wg:oauth:2.0:oob) and making the
token the page title.
I had a simple hacked up prototype which returned a token as part of a
a redirect urn (urn:foo:bar:token:123456789) and a custom webview would
look for the value.
I don't see the value in redirecting between applications using urls
like this though, handling it within one webview seem to make more
sense to me. Can you explain what use case that would be?
4:27 p.m.
On 8/14/2013 4:07 PM, Matt Wringe wrote:
On Wed 14 Aug 2013 03:14:41 PM EDT, Bill Burke wrote:
>
>
> On 8/14/2013 2:45 PM, Matt Wringe wrote:
>> Thoughts on some possible ways to handle mobile aspects with Keycloak.
>> Its just a very brief outline of some of the options to get a
>> conversation started. I tried to brief as possible, but the email is
>> still a bit long :/
>>
>> Mobile web app
>> Works similar to how any normal web app would work with keycloak. Only
>> changes really needed would be to make sure the login pages and such are
>> designed to work properly on varying sizes of touchscreens.
>>
>>
>> Native Mobile App Approaches
>>
>> 1)Native mobile app accessing keycloak through a custom webview.
>> Its possible for a native application to create a webview and load the
>> web components of keycloak through this. Requires some changes to
>> keycloak to return the token to the application since using a normal
>> redirect url isn't feasible.
>
> On iphone you can redirect to and from native apps using URLs. So it
> would be possible to use the Keycloak web login and redirects with
> iphone. Are you sure Android doesn't have something similar?
Yeah, you can of course use urls like that in Android.
Normally the way its handled in this situation is to run web server on
the device at localhost (which is what I meant by a normal url and why
its not being really feasible) or to use a special redirect value and
pass the token in a special manner (what you are suggesting).
Why the need for local webserver? ON iphone at least, the native app
would redirect to a keycloak.org URL in browser
http://keycloak.org/client_id=... Browser would do the facebook login,
then browser would redirect back to app with the access code embedded
within the URL. Then the app would make an internal HTTP call to
keycloak to obtain the token. Traditional OAuth. Don't see why you
need all the other tricks you are talking about...
Here's an example of using URLs to web provision a native app:
http://code.google.com/p/oathtoken/wiki/WebProvisioning
On iphone you can bind a protocol to an app, so keycloak would just
redirect to myapp://login?all&the&oauth¶meters&needed
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5 p.m.
On Wed 14 Aug 2013 04:27:12 PM EDT, Bill Burke wrote:
On 8/14/2013 4:07 PM, Matt Wringe wrote:
> On Wed 14 Aug 2013 03:14:41 PM EDT, Bill Burke wrote:
>>
>>
>> On 8/14/2013 2:45 PM, Matt Wringe wrote:
>>> Thoughts on some possible ways to handle mobile aspects with Keycloak.
>>> Its just a very brief outline of some of the options to get a
>>> conversation started. I tried to brief as possible, but the email is
>>> still a bit long :/
>>>
>>> Mobile web app
>>> Works similar to how any normal web app would work with keycloak. Only
>>> changes really needed would be to make sure the login pages and
>>> such are
>>> designed to work properly on varying sizes of touchscreens.
>>>
>>>
>>> Native Mobile App Approaches
>>>
>>> 1)Native mobile app accessing keycloak through a custom webview.
>>> Its possible for a native application to create a webview and load the
>>> web components of keycloak through this. Requires some changes to
>>> keycloak to return the token to the application since using a normal
>>> redirect url isn't feasible.
>>
>> On iphone you can redirect to and from native apps using URLs. So it
>> would be possible to use the Keycloak web login and redirects with
>> iphone. Are you sure Android doesn't have something similar?
>
> Yeah, you can of course use urls like that in Android.
>
> Normally the way its handled in this situation is to run web server on
> the device at localhost (which is what I meant by a normal url and why
> its not being really feasible) or to use a special redirect value and
> pass the token in a special manner (what you are suggesting).
>
Why the need for local webserver? ON iphone at least, the native app
would redirect to a keycloak.org URL in browser
http://keycloak.org/client_id=... Browser would do the facebook
login, then browser would redirect back to app with the access code
embedded within the URL. Then the app would make an internal HTTP
call to keycloak to obtain the token. Traditional OAuth. Don't see
why you need all the other tricks you are talking about...
Here's an example of using URLs to web provision a native app:
http://code.google.com/p/oathtoken/wiki/WebProvisioning
On iphone you can bind a protocol to an app, so keycloak would just
redirect to myapp://login?all&the&oauth¶meters&needed
Hmm, interesting, its a nice clean way of handling it that I didn't
really think of. I wonder why none the documentation on for how to
perform social login on mobile devices mentions doing it this way. The
only downside is other than google, I don't think most people log into
these sites using the mobile browser, they usually use the login via
the mobile app.
5:24 p.m.
On 8/14/2013 5:00 PM, Matt Wringe wrote:
On Wed 14 Aug 2013 04:27:12 PM EDT, Bill Burke wrote:
>
>
> On 8/14/2013 4:07 PM, Matt Wringe wrote:
>> On Wed 14 Aug 2013 03:14:41 PM EDT, Bill Burke wrote:
>>>
>>>
>>> On 8/14/2013 2:45 PM, Matt Wringe wrote:
>>>> Thoughts on some possible ways to handle mobile aspects with Keycloak.
>>>> Its just a very brief outline of some of the options to get a
>>>> conversation started. I tried to brief as possible, but the email is
>>>> still a bit long :/
>>>>
>>>> Mobile web app
>>>> Works similar to how any normal web app would work with keycloak. Only
>>>> changes really needed would be to make sure the login pages and
>>>> such are
>>>> designed to work properly on varying sizes of touchscreens.
>>>>
>>>>
>>>> Native Mobile App Approaches
>>>>
>>>> 1)Native mobile app accessing keycloak through a custom webview.
>>>> Its possible for a native application to create a webview and load the
>>>> web components of keycloak through this. Requires some changes to
>>>> keycloak to return the token to the application since using a normal
>>>> redirect url isn't feasible.
>>>
>>> On iphone you can redirect to and from native apps using URLs. So it
>>> would be possible to use the Keycloak web login and redirects with
>>> iphone. Are you sure Android doesn't have something similar?
>>
>> Yeah, you can of course use urls like that in Android.
>>
>> Normally the way its handled in this situation is to run web server on
>> the device at localhost (which is what I meant by a normal url and why
>> its not being really feasible) or to use a special redirect value and
>> pass the token in a special manner (what you are suggesting).
>>
>
> Why the need for local webserver? ON iphone at least, the native app
> would redirect to a keycloak.org URL in browser
> http://keycloak.org/client_id=... Browser would do the facebook
> login, then browser would redirect back to app with the access code
> embedded within the URL. Then the app would make an internal HTTP
> call to keycloak to obtain the token. Traditional OAuth. Don't see
> why you need all the other tricks you are talking about...
>
> Here's an example of using URLs to web provision a native app:
>
> http://code.google.com/p/oathtoken/wiki/WebProvisioning
>
> On iphone you can bind a protocol to an app, so keycloak would just
> redirect to myapp://login?all&the&oauth¶meters&needed
Hmm, interesting, its a nice clean way of handling it that I didn't
really think of. I wonder why none the documentation on for how to
perform social login on mobile devices mentions doing it this way.
Don't know. Maybe there is something I'm missing?? But I've seen
custom URLs work very nicely in iphone programming.
The
only downside is other than google, I don't think most people log into
these sites using the mobile browser, they usually use the login via the
mobile app.
Isn't it the same decision on whether to use a social library to help
you implement social login vs. a social broker hosted on another server?
Why even have Keycloak for native mobile apps? They can use existing
native mobile app libraries to perform social login.
Do facebook et. al. even have a direct non-browser, non-OAuth approach
to login?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:34 a.m.
On 14/08/13 05:24 PM, Bill Burke wrote:
On 8/14/2013 5:00 PM, Matt Wringe wrote:
> On Wed 14 Aug 2013 04:27:12 PM EDT, Bill Burke wrote:
>>
>>
>> On 8/14/2013 4:07 PM, Matt Wringe wrote:
>>> On Wed 14 Aug 2013 03:14:41 PM EDT, Bill Burke wrote:
>>>>
>>>>
>>>> On 8/14/2013 2:45 PM, Matt Wringe wrote:
>>>>> Thoughts on some possible ways to handle mobile aspects with
>>>>> Keycloak.
>>>>> Its just a very brief outline of some of the options to get a
>>>>> conversation started. I tried to brief as possible, but the email is
>>>>> still a bit long :/
>>>>>
>>>>> Mobile web app
>>>>> Works similar to how any normal web app would work with keycloak.
>>>>> Only
>>>>> changes really needed would be to make sure the login pages and
>>>>> such are
>>>>> designed to work properly on varying sizes of touchscreens.
>>>>>
>>>>>
>>>>> Native Mobile App Approaches
>>>>>
>>>>> 1)Native mobile app accessing keycloak through a custom webview.
>>>>> Its possible for a native application to create a webview and
>>>>> load the
>>>>> web components of keycloak through this. Requires some changes to
>>>>> keycloak to return the token to the application since using a normal
>>>>> redirect url isn't feasible.
>>>>
>>>> On iphone you can redirect to and from native apps using URLs. So it
>>>> would be possible to use the Keycloak web login and redirects with
>>>> iphone. Are you sure Android doesn't have something similar?
>>>
>>> Yeah, you can of course use urls like that in Android.
>>>
>>> Normally the way its handled in this situation is to run web server on
>>> the device at localhost (which is what I meant by a normal url and why
>>> its not being really feasible) or to use a special redirect value and
>>> pass the token in a special manner (what you are suggesting).
>>>
>>
>> Why the need for local webserver? ON iphone at least, the native app
>> would redirect to a keycloak.org URL in browser
>> http://keycloak.org/client_id=... Browser would do the facebook
>> login, then browser would redirect back to app with the access code
>> embedded within the URL. Then the app would make an internal HTTP
>> call to keycloak to obtain the token. Traditional OAuth. Don't see
>> why you need all the other tricks you are talking about...
>>
>> Here's an example of using URLs to web provision a native app:
>>
>> http://code.google.com/p/oathtoken/wiki/WebProvisioning
>>
>> On iphone you can bind a protocol to an app, so keycloak would just
>> redirect to myapp://login?all&the&oauth¶meters&needed
>
> Hmm, interesting, its a nice clean way of handling it that I didn't
> really think of. I wonder why none the documentation on for how to
> perform social login on mobile devices mentions doing it this way.
Don't know. Maybe there is something I'm missing?? But I've seen
custom URLs work very nicely in iphone programming.
It must be something used more on iphone than android. I don't think I
have ever seen an application which opens a browser to perform a task
and then waits for a callback for it to complete. You can do it this
way, I have just never seen it used. Normally it more of a open way type
of thing, click this link and open this application. Then again, I just
may not be using the same types of mobile apps.
The only other thing I can think of why they don't do it this way is
that its kindof a weird situation when the token expires. The browser
would have to be opened again, but if the user is already authenticated
in the browser it would return a token right away. So to the user the
browser would open, maybe display a brief message about retrieving the
token, and then just close again. Using an embedded webview prevents
this, but then we run into the issues that a custom webview has.
> The
> only downside is other than google, I don't think most people log into
> these sites using the mobile browser, they usually use the login via the
> mobile app.
Isn't it the same decision on whether to use a social library to help
you implement social login vs. a social broker hosted on another server?
What I meant here is that on my desktop browser I am already logged into
my social accounts. Since I am already logged in, when I access
something like keycloak, I just get a notification asking if I want to
grant keycloak authorization.
On my mobile devices, I use the mobile apps and not the browser. So when
I use something like keycloak in a mobile browser, I will be asked to
log into my social account first and then asked to grant keycloak
authorization. But this is really just one more step, which I don't
think is a big problem.
Why even have Keycloak for native mobile apps? They can use existing
native mobile app libraries to perform social login.
Why even have keycloak to begin with for any application. You can just
use existing sdks and app libraries for normal web sites as well. Any
argument for why a web application would want social login is going to
be exactly the same for a native application.
Native apps which would require social login are not just standalone
applications, if they were there would be no point in doing any sort of
login in the first place.
The native app is going to be communicating with a web application to
get and store information there. If my web application is using keycloak
to authenticate users, then my mobile app needs a way to authenticate
against it as well.
Normally what happens here is that the mobile app get the token from the
social provider and passes it to the web application. The web
application then verifies that the token is correct and uses it to
retrieve the users profile data on the social providers server. You
register both the web application and the native application with the
social provider as being the same client application, so that the token
from the native app can be used by the web app
(cross-client/cross-platform authentication).
Perhaps I am not explaining this very well or I am not understanding
your questions.
Do facebook et. al. even have a direct non-browser, non-OAuth
approach
to login?
There are two main native approaches, and they still use oauth:
1) still uses regular oauth, but instead of getting the token directly
from the social provider's authorization server you get it from the
account manager on the device (each social provider writes their own
authorization service which is still essentially contacting their
authorization server in the background). You still have provide what
scope you want and it will open a native UI asking for authorization if
you have not already granted it. Once you have this token, you use it
exactly the same was as you would on a web app.
2) uses an sdk to abstract out the oauth parts and automatically handles
error conditions and such. It makes it easier to developers to get
social integration up and running. Some, like facebook, are trying to
push using their sdk more exclusively though.
3905
days inactive
3906
days old
6 comments
2 participants
participants (2)
-
Bill Burke -
Matt Wringe